Coming soon | Intermediate | Pro

Exchange ProxyShell: Domain-Wide Ransomware

An internet-facing Exchange server falls to ProxyShell, dropping ASPX web shells that run as SYSTEM. The attacker re-enables a built-in account, dumps LSASS with a Windows DLL, tunnels out with Plink and FRP, moves laterally over RDP, and encrypts the domain with its own BitLocker and DiskCryptor, no ransomware binary in sight. Work the Exchange logs, the endpoint process tree, and the perimeter traffic to reconstruct the intrusion.

1h
6 tasks
50 points
Pro

Tuesday, July 7, 2026 at 9:00 AM

Pro unlocks this operation at launch.

Training Tools

SIEM, XDR, Firewall

What you'll investigate

6 objectives unlock when this operation goes live.

1. Find the foothold
2. Name the implant
3. Catch the privileged account
4. Expose the credential theft
5. Trace the tunnel out
6. Classify the impact
